Moscow, the Russian Federation

Effective Date: 01.07.2017



1. GENERAL PROVISIONS

The personal data processing policy (hereinafter: the “Policy”) is developed in accordance with Federal Law “On Personal Data” No. 152-FZ dated 27 July 2006 (hereinafter: “FZ-152”).

This Policy establishes the procedure for personal data processing and measures to ensure security of the personal data to be applied at ANYWAYANYDAY HOLDING LIMITED, BVI Company No.: 1726035, Vanterpool Plaza, 2-nd floor, Wickhams Cay, I, Road Town, Tortola, the British Virgin Islands, (hereinafter: the “Operator”) in order to protect rights and liberties of an individual and a citizen while processing the personal data thereof, inter alia, a right to privacy, personal and family secrets.

The following basic terms and definitions are used in this Policy:

automated processing of personal data means the personal data processing using computer technology;

blocking of personal data means temporary interruption of the personal data processing (except where the processing is necessary to adjust the personal data);

information system of personal data means a combination of the personal data included into personal data databases and information technologies and hardware used to procure processing thereof;

anonymization of personal data means actions making it impossible to identify the personal data as related to a certain personal data subject without any additional information;

personal data processing means any action (operation) or a series of actions (operations) performed with the personal data, with or without automation facilities, including collection, recording, systematization, accumulation, storage, adjustment (updating, alteration), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of the personal data;

operator means a state authority, municipal authority, legal or private person which (alone or jointly with other persons) organizes and (or) performs the personal data processing and defines purposes of the personal data processing, content of the personal data to be processed, and actions (operations) to be made with the personal data;

personal data means any information related (directly or indirectly) to an identified or identifiable individual (the personal data subject);

provision of personal data means actions aimed to disclose the personal data to a certain person or certain group of persons;

distribution of personal data means actions aimed to disclose the personal data to the public (personal data transfer) or to familiarize the general public with such data including disclosure of the personal data in mass media, posting thereof in information and telecommunication networks or granting access to the personal data in any other way;

trans-border transfer of personal data means the personal data transfer to a foreign country, foreign government authority, foreign individual or foreign legal person;

destruction of personal data means actions making it impossible to restore the personal data content in the information system of personal data and (or) resulting in destruction of tangible carriers of the personal data.

The Operator shall be obliged to publish or otherwise provide unrestricted access to this Personal Data Processing Policy in accordance with para 2 of Article 18.1 of FZ-152.

2. PRINCIPLES AND TERMS OF PERSONAL DATA PROCESSING

2.1 Principles of Personal Data Processing

The Operator shall process the personal data based on the following principles:

  • on a legal and equitable basis;
  • the personal data processing shall be restricted to the achievement of specific, predetermined and lawful purposes;
  • the personal data processing incompatible with purposes of the personal data collection shall not be allowed;
  • combination of databases, in which the personal data are being processed for mutually incompatible purposes, shall not be allowed;
  • only the personal data meeting the processing purposes may be processed;
  • contents and volume of the personal data being processed shall comply with the declared processing purposes;
  • processing of the personal data which are redundant with respect to the declared purposes of personal data processing shall not be allowed;
  • accuracy, adequacy and actuality of the personal data shall be ensured in relation to the purposes of personal data processing;
  • the personal data being processed shall be destroyed or anonymized upon achievement of the processing purposes or where such purposes are no longer relevant, where the Operator is unable to remove damages made to the personal data unless otherwise prescribed by a federal law.

2.2 Terms of Personal Data Processing

The Operator shall process the personal data where at least one of the following terms is met:

  • the personal data is processed with the personal data subject’s consent to processing of his/her personal data;
  • the personal data processing is necessary to comply with purposes established by an international treaty of the Russian Federation or under law, to enable the operator to perform and fulfill functions, powers and obligations imposed on the operator under the legislation of the Russian Federation;
  • the personal data processing is necessary to administer justice, to execute a judicial act or an act issued by any other authority or an officer which are enforceable under the Russian legislation on enforcement proceedings;
  • the personal data processing is necessary to perform an agreement to which the personal data subject is a party, a beneficiary or a guarantor, and to enter into an agreement on the initiative of the personal data subject or an agreement to which the personal data subject will be a beneficiary or a guarantor;
  • the personal data processing is necessary to exercise rights and legitimate interests of the operator or third parties, or to achieve socially significant goals provided that the rights and liberties of the personal data subject are not infringed;
  • the personal data processing includes the personal data to which access by the general public is granted by or at the request of the personal data subject (hereinafter: “publicly available personal data”);
  • the personal data being processed shall be published or disclosed in a mandatory manner under a federal law.

2.3 Confidentiality of Personal Data

The Operator and other persons who have obtained access to the personal data shall not disclose the personal data to any third parties or distribute the personal data without the personal data subject’s consent unless otherwise provided for by a federal law.

2.4 Publicly Available Sources of Personal Data

For the purposes of information support, the Operator may create publicly available sources of personal data of the personal data subjects including directories and address books. The publicly available sources of personal data, with the written consent of the personal data subject, may include the subject's surname, first name, patronymic, date and place of birth, title, contact phones, email address and any other personal data provided by the personal data subject.

The information on the personal data subject shall be removed, at any time, from the publicly available sources of personal data whenever this is requested by the personal data subject, a body authorized to protect the personal data subjects’ rights or required by a court order.

2.5 Special Categories of Personal Data

The Operator may process special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, state of health, intimate life where:

  • the personal data subject has given his/her written consent to processing of his/her personal data;
  • the personal data have been made publicly available by the personal data subject;
  • the personal data are processed in accordance with the legislation on state social assistance, labor law, legislation of the Russian Federation on pensions and state pension benefits and on labor pensions;
  • the personal data processing is necessary to protect the life, health or other vital interests of the personal data subject or the life, health or other vital interests of any other persons but the personal data subject’s consent cannot be obtained;
  • the personal data are processed for medical and preventive purposes, to determine a medical diagnosis, to provide medical and medical-social services provided that the personal data are processed by a person who performs medical activities in a professional manner and who is obliged to maintain medical secrecy in accordance with the legislation of the Russian Federation;
  • the personal data processing is necessary to establish or exercise the rights of the personal data subject or of third parties, and in connection with effectuation of justice;
  • the personal data are processed in accordance with the laws on mandatory types of insurance, insurance legislation.

The processing of special categories of personal data which has been performed in cases provided for by item 4 of Article 10 of FZ-152 shall be immediately terminated where the processing reasons have been eliminated unless otherwise prescribed by a federal law.

The Operator may process personal data regarding criminal convictions only in cases and according to procedures set forth by federal laws.

2.6 Biometric Personal Data

The Operator may process details which characterize physiological and biological features of a person based on which he/she may be identified (biometric personal data) only with the written consent of the personal data subject.

2.7 Assignment of Personal Data Processing to Other Persons

The Operator may authorize and instruct any other person to process the personal data with the personal data subject’s consent unless otherwise prescribed by a federal law, based on an agreement to be entered into with this person. A person processing the personal data upon the Operator’s instruction shall observe the principles and rules of the personal data processing set forth by FZ-152 and this Policy.

2.8 Processing of Personal Data of Russian Federation Citizens

Pursuant to Article 2 of Federal Law No. 242-FZ “On amendments to certain legislative acts of the Russian Federation related to adjustment of the procedure for personal data processing in information and telecommunication networks” dated 21 July 2014, when collecting personal data, inter alia, when using the information and telecommunication network Internet, the operator shall ensure recording, systematization, accumulation, storage, adjustment (updating, alteration), extraction of the personal data of the Russian Federation citizens using databases located within the Russian Federation except as follows:

  • the personal data processing is necessary to comply with purposes established by an international treaty of the Russian Federation or under law, to enable the operator to perform and fulfill functions, powers and obligations imposed on the operator under the legislation of the Russian Federation;
  • the personal data processing is necessary to administer justice, to execute a judicial act or an act issued by any other authority or an officer which are enforceable under the legislation of the Russian Federation on enforcement proceedings (hereinafter: execution of a judicial act);
  • the personal data processing is necessary to fulfill powers imposed on federal executive authorities, authorities of state non-budget funds, executive government authorities of federal subjects of the Russian Federation, local authorities and functions of organizations involved in provision of state and municipal services, accordingly, under Federal Law No. 210-FZ “On organization of provision of state and municipal services” dated 27 July 2010, including registration of the personal data subject on the unified portal for state and municipal services and (or) regional portals for state and municipal services;
  • the personal data processing is necessary to conduct professional activity as journalist and (or) legal activity as mass media, or to perform scientific, literary or other creative activity provided that the rights and legitimate interests of the personal data subject are not infringed.

2.9 Trans-Border Transfer of Personal Data

The Operator shall make sure that any foreign state where the personal data are to be transferred ensures adequate protection of the personal data subjects’ rights before commencing such transfer.

The trans-border transfer of personal data to foreign states which do not ensure adequate protection of the personal data subjects’ rights may be carried out in the following cases:

  • the personal data subject has provided his/her written consent to trans-border transfer of his/her personal data;
  • for the purpose of performing an agreement to which the personal data subject is a party.

3. RIGHTS OF THE PERSONAL DATA SUBJECT

3.1 Consent of the Personal Data Subject to Processing of his/her Personal Data

The personal data subject shall, freely, willingly and in his/her own interest, make a decision to provide his/her personal data and give his/her consent to processing thereof. The consent to personal data processing may be given by the personal data subject or his/her representative in any form which makes it possible to confirm receipt thereof unless otherwise prescribed by a federal law.

3.2 Rights of the Personal Data Subject

The personal data subject shall be entitled to obtain from the Operator information relating to processing of his/her personal data if such right is not limited under federal laws. The personal data subject may require the Operator to adjust his/her personal data, to block or destroy them where such personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for the declared purpose of processing, and also to take statutory actions to protect his/her rights.

The personal data processing for marketing goods, works, services by making direct contacts with the personal data subject (a potential consumer) using communication means and for political agitation shall be permitted only subject to a prior consent of the personal data subject.

The Operator shall, upon request by the personal data subject, immediately terminate processing of his/her personal data for the above-mentioned purposes.

It shall be prohibited to make decisions which cause legal consequences for the personal data subject or otherwise affect his/her rights and legitimate interests only based on the automated processing of personal data except for cases contemplated by federal laws or subject to a written consent of the personal data subject.

Where the personal data subject believes that the Operator violates the requirements set forth in FZ-152 in processing his/her personal data or otherwise infringes his/her rights and liberties, the personal data subject may appeal against actions or omissions of the Operator to a body authorized to protect the personal data subjects’ rights or through legal action.

The personal data subject shall have the right to protect his/her rights and legitimate interests including the right to indemnity for losses and/or compensation for moral injury.

4. PERSONAL DATA SECURITY

When processing the personal data, the Operator shall ensure security of the personal data by taking legal, organizational and technical measures necessary to observe federal laws concerning personal data security.

The Operator shall take the following organizational and technical measures to prevent unauthorized access to the personal data:

  • to appoint persons to be responsible for organization of the personal data processing and security;
  • to limit a list of persons authorized to process the personal data;
  • to familiarize the personal data subjects with requirements of federal law and the Operator’s regulations concerning the personal data processing and security;
  • to organize recording, keeping and handling of media containing the personal data;
  • to identify security threats while processing the personal data and create relevant threat models;
  • to develop a personal data security system based on a threat model;
  • to check readiness and effectiveness of information security tools;
  • to limit users’ access to information resources and to hardware and software used for information processing;
  • to register and record actions made by users of the information systems of personal data;
  • to use antivirus tools and means of restoring the personal data security system;
  • where necessary, to make use of firewalls, intrusion detection, security analysis and cryptographic security tools;
  • to organize access to the Operator’s premises and security for areas where technical facilities for the personal data processing are located.

5. FINAL PROVISIONS

Any other rights and obligations of the Operator connected with the personal data processing shall be established by the legislation of the Russian Federation concerning personal data.

The Operator’s employees who violate the personal data processing rules and security thereof shall bear financial, disciplinary, administrative, civil or criminal liability under federal laws.

This document is made in Russian. The translation hereof in any other language shall be additional and placed for convenience of the User only. Should any discrepancies between the Russian version and translations hereof arise, the Russian version shall prevail.